Decommission a hybrid subnet
This page describes how to decommission a hybrid subnet.
If you no longer need Hybrid Subnets functionality—for example, because all on-premises workloads have either migrated to Google Cloud or been decommissioned—you can decommission a hybrid subnet. Decommissioning a hybrid subnet changes the hybrid subnet into a regular subnet and removes the unused components of the hybrid subnet.
Update Cloud Router custom advertised routes
The following sections describe how to replace the custom advertised routes that you created for each migrated workload with a single advertisement for the entire subnet.
Create a custom advertised route for the entire subnet
Create a single custom advertised route for the entire IP address range of the hybrid subnet that you are decommissioning. For more information, see Advertise specific VPC subnets.
Remove custom advertised routes for migrated workloads
Remove the /32 and other custom advertised routes that you configured on your Cloud Router for individual migrated workloads. For more information, see Remove custom advertised routes on a Cloud Router.
Disable hybrid subnet routing
Console
In the Google Cloud console, go to the VPC networks page.
Click the name of the VPC network that contains the subnet that you want to update.
Click the Subnets tab.
Click the subnet that you want to update.
Click Edit.
In the Hybrid subnet section, select Off.
Click Save.
gcloud
Use the gcloud beta compute networks subnets update command.
    gcloud beta compute networks subnets update SUBNET \
        --region=REGION \
        --no-allow-cidr-routes-overlap
Replace the following:
- SUBNET: the name of the subnet.
- REGION: the region of the subnet.
API
Find the fingerprint ID of your subnet.
Before using any of the request data, make the following replacements:
- PROJECT_ID: the ID of your project
- REGION: the region of your subnet
- SUBNET_NAME: the name of your subnet
HTTP method and URL:
GET https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME
You should receive a JSON response similar to the following:
    {
      "kind": "compute#subnetwork",
      "id": "5514771331600183201",
      "creationTimestamp": "2022-09-16T12:41:02.010-07:00",
      "name": "subnet-name",
      "network": "https://www.googleapis.com/compute/v1/projects/project-name/global/networks/network-name",
      "ipCidrRange": "10.6.0.0/16",
      "gatewayAddress": "10.6.0.1",
      "region": "https://www.googleapis.com/compute/v1/projects/project-name/regions/us-central1",
      "selfLink": "https://www.googleapis.com/compute/v1/projects/project-name/regions/us-central1/subnetworks/subnet-name",
      "privateIpGoogleAccess": true,
      "fingerprint": "YiItidAFRsA5",
      "allowSubnetCidrRoutesOverlap": false,
      "enableFlowLogs": true,
      "privateIpv6GoogleAccess": "DISABLE_GOOGLE_ACCESS",
      "purpose": "PRIVATE",
      "stackType": "IPV4_ONLY"
    }
Disable allowSubnetCidrRoutesOverlap.
Before using any of the request data, replace SUBNET_FINGERPRINT with the fingerprint ID of your subnet that you found in the previous request (for example, YiItidAFRsA5).
HTTP method and URL:
PATCH https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME
Request JSON body:
    {
      "allowSubnetCidrRoutesOverlap": false,
      "fingerprint": "SUBNET_FINGERPRINT"
    }
You should receive a JSON response similar to the following:
    {
      "kind": "compute#operation",
      "id": "5973660558170953708",
      "name": "operation-1680288003494-5f8368991917a-59bf1c92-1897c7c6",
      "operationType": "compute.subnetworks.patch",
      "targetLink": "https://www.googleapis.com/compute/beta/projects/test-project/regions/us-central1/subnetworks/subnet-name",
      "targetId": "5514771331600183201",
      "status": "RUNNING",
      "user": "[email protected]",
      "progress": 0,
      "insertTime": "2023-03-31T11:40:03.882-07:00",
      "startTime": "2023-03-31T11:40:03.893-07:00",
      "selfLink": "https://www.googleapis.com/compute/beta/projects/test-project/regions/us-central1/operations/operation-1680288003494-5f8368991917a-59bf1c92-1897c7c6",
      "region": "https://www.googleapis.com/compute/beta/projects/test-project/regions/us-central1"
    }
To verify that allowSubnetCidrRoutesOverlap is disabled for your subnet, make another GET request and ensure that the response includes the following:
    "allowSubnetCidrRoutesOverlap": false
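The route changes and the API steps above can be checked together before the PATCH is sent. The following Python code is an added example, not part of the original documentation: it confirms that the whole subnet range is advertised, lists leftover per-workload routes, and only then builds the request body. The function names and the sample advertised ranges are constructed for illustration; the subnet fields are the ones shown in the GET response on this page.

```python
import ipaddress
import json

# Constructed sample data (not real resources): a subnetworks GET response
# trimmed to the fields used here, and a Cloud Router's custom advertised ranges.
SUBNET_JSON = '''{"name": "subnet-name", "ipCidrRange": "10.6.0.0/16",
 "fingerprint": "YiItidAFRsA5", "allowSubnetCidrRoutesOverlap": true}'''
ADVERTISED = ["10.6.0.0/16", "10.6.4.10/32", "10.6.4.11/32", "192.168.50.0/24"]


def preflight(subnet, advertised_ranges):
    """Return (whole_subnet_advertised, leftover_more_specific_ranges)."""
    subnet_net = ipaddress.ip_network(subnet["ipCidrRange"])
    nets = [ipaddress.ip_network(r) for r in advertised_ranges]
    whole = subnet_net in nets
    # Per-workload routes are strictly more specific than the subnet range.
    leftovers = [str(n) for n in nets
                 if n.version == subnet_net.version
                 and n != subnet_net and n.subnet_of(subnet_net)]
    return whole, leftovers


def build_patch_body(subnet, advertised_ranges):
    """Build the PATCH body only when the advertisements are in the end state."""
    whole, leftovers = preflight(subnet, advertised_ranges)
    if not whole:
        raise ValueError("subnet range %s is not advertised" % subnet["ipCidrRange"])
    if leftovers:
        raise ValueError("remove per-workload routes first: %s" % ", ".join(leftovers))
    # The fingerprint is the value returned by the GET request for this subnet.
    return {"allowSubnetCidrRoutesOverlap": False,
            "fingerprint": subnet["fingerprint"]}


def is_disabled(subnet):
    """Verification step: the follow-up GET must report the flag as false."""
    return subnet.get("allowSubnetCidrRoutesOverlap") is False


if __name__ == "__main__":
    subnet = json.loads(SUBNET_JSON)
    print(preflight(subnet, ADVERTISED))
    cleaned = [r for r in ADVERTISED if not r.endswith("/32")]
    print(json.dumps(build_patch_body(subnet, cleaned), indent=2))
```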
Delete ingress firewall rules
Delete the ingress firewall rules or firewall policies that you configured for migrated VMs. For more information, see the Cloud Next Generation Firewall documentation.
Remove unnecessary configuration
Consider the following:
- If you don't need proxy ARP on your on-premises router for another purpose, you can disable proxy ARP. For information about disabling proxy ARP, see the router's public documentation.
- If you don't need your on-premises subnet for another purpose, you can decommission the on-premises subnet.
If all your VMs have migrated to Google Cloud, and you no longer need connectivity between your on-premises and VPC networks, you can disconnect your on-premises and VPC networks. To disconnect your on-premises and VPC networks, complete the following steps:
Do one of the following, depending on how you've configured connectivity:
If you no longer need the Cloud Router that you configured for hybrid subnets, you can delete the Cloud Router.
If you no longer need on-premises firewall configuration that you added for Hybrid Subnets, you can remove it.